b'                AUDIT OF SBA\xe2\x80\x99S FY 1999 FINANCIAL STATEMENTS\n\n                             MANAGEMENT LETTER\n\n                             AUDIT REPORT NO. 0-13\n\n                                 MARCH 29, 2000\n\n\n\n\nThis report may contain proprietary information subject to the provisions of 18 USC\n1905 and must not be released to the public or another agency without permission\nof the Office of Inspector General.\n\x0c                       U.S. SMALL BUSINESS ADMINSITRATION\n                          OFFICE OF INSPECTOR GENERAL\n                              WASHINGTON, D.C. 20416\n\n\n\n\n                                                               AUDIT REPORT\n                                                         Issue Date: March 29, 2000\n                                                         Number: 0-13\n\n\n\nTo:           Joseph P. Loddo, Chief Financial Officer\n\n\n\nFrom:         Robert G. Seabrooks, Assistant Inspector General for Auditing\n\nSubject:      Audit of SBA\xe2\x80\x99s FY 1999 Financial Statements \xe2\x80\x93 Management Letter\n\n       Pursuant to the Chief Financial Officers Act of 1990, attached is the Independent\nAuditor\xe2\x80\x99s Management Letter, issued by Cotton & Company, LLP. The report identifies\nconditions related to (1) subsidy modeling and re-estimating, (2) safeguarding computer\nequipment, and (3) duplicate payments. The conditions were identified during the audit of\nSBA\xe2\x80\x99s Fiscal Year 1999 financial statements, but were not required to be included in the\nAuditor\xe2\x80\x99s Report. Also attached is your response to the draft report, in which you generally\nagreed with the findings and recommendations.\n\n      The finding in this report are based on the auditors\xe2\x80\x99 conclusions, and the\nreport recommendations are subject to review, management decision, and action by\nyour office in accordance with existing Agency procedures for audit follow-up and\nresolution. Please provide your management decisions for the recommendations within\n30 days using the attached SBA Forms 1824, Recommendation Action Sheet.\n\n       Should you or your staff have any questions, please contact Robert G. Hultberg,\nActing Director, Business Development Programs Group at (202) 205-7204.\n\nAttachments\n\x0c                COTTON & COMPANY LLP\n                                     CERTIFIED PUBLIC ACCOUNTANTS\n                    333 NORTH FAIRFAX STREET \xe2\x80\xa2 SUITE 401 \xe2\x80\xa2 ALEXANDRIA, VIRGINIA 22314\n\nDAVID L. COTTON, CPA, CFE               MICHAEL W. GILLESPIE, CPA, CFE           ELLEN P. REED, CPA\nCHARLES HAYWARD, CPA, CPE               CATHERINE L. NOCERA, CPA                 MATTHEW H. JOHNSON, CPA\n\n\n\n\n                                             February 14, 2000\n\n\n                                MANAGEMENT LETTER COMMENTS\n                             INDEPENDENT AUDIT OF FISCAL YEAR 1999\n                                    FINANCIAL STATEMENTS\n\nInspector General\nU.S. Small Business Administration\n\n        We have audited the U.S. Small Business Administration\xe2\x80\x99s (SBA) principal financial statements as\nof September 30, 1999, and for the year then ended, and have issued our reports, dated February 14, 2000, to\nSBA under separate cover. Those reports included our reports on SBA\xe2\x80\x99s internal control and compliance\nwith laws and regulations.\n\n         The purpose of this management letter is to communicate three nonreportable findings to SBA\nmanagement. Of these three, we reported Finding No. 1 in our Fiscal Year 1998 report on SBA\xe2\x80\x99s internal\ncontrol.\n\n        This letter is intended solely for the information and use of SBA management.\n\n        We would like to express our appreciation to the SBA representatives who assisted us in completing\nour audit. They were always courteous, helpful, and professional.\n\n                                                        Very truly yours,\n\n                                                        COTTON & COMPANY LLP\n\n\n\n\n   703/836-6701 \xe2\x80\xa2   FAX 703/836-0941\xe2\x80\xa2 HTTP://WWW.COTTONCPA.COM \xe2\x80\xa2 E-MAIL: DCOTTON@COTTONCPA.COM\n\x0c                          INDEPENDENT AUDIT OF FISCAL YEAR 1999\n                                   FINANCIAL STATEMENTS\n                            U.S. SMALL BUSINESS ADMINISTRATION\n                                  NONREPORTABLE FINDINGS\n\n\n         Certain nonreportable findings came to our attention during the audit of the U.S. Small Business\nAdministration\xe2\x80\x99s (SBA) Fiscal Year (FY) 1999 financial statements. All findings are related to SBA\xe2\x80\x99s\ninternal control.\n\n        We reported Finding No. 1 in our FY 1998 audit report on internal control. Where SBA partially\naddressed our recommendations, we modified our findings and recommendations.\n\n1.      Subsidy Modeling and Re-Estimation Process\n\n          SBA\xe2\x80\x99s quality control process over subsidy modeling and re-estimating, while much improved,\nstill is not completely effective. In our FY 1998 audit report on internal control, we recommended that\nthe Office of the Chief Financial Officer (OCFO):\n\n        \xe2\x80\xa2       Continue to refine its quality assurance process to ensure that peer and supervisory\n                reviewers have the experience, training, and time to perform reviews commensurate with\n                the inherently high risk associated with SBA\xe2\x80\x99s existing re-estimate process.\n\n        \xe2\x80\xa2       Arrange for an independent review of the new disaster models and ensure that the new\n                models produce reliable and reasonable re-estimates before submitting the re-estimates\n                for audit.\n\n        In response to these recommendations, SBA developed comprehensive policies and\nprocedures for preparing subsidy estimates and re-estimates, which included an overview of the\nprocess, programs, and assumptions; data documentation and training requirements; and\ndeliverables and a timeline for their completion. SBA also improved its quality assurance process\nto include peer review by an analyst not responsible for preparing the re-estimate as well as a\nsupervisory review.\n\n        Further, SBA designed a new cash flow model for disaster budget submission as well as\nre-estimates. As recommended, SBA relied upon the review of an independent contractor to\nensure that the new model produced reliable and reasonable re-estimates.\n\n        Even with these improvements, we found cell reference errors and computational errors, as well\nas inconsistent treatment of Office of Management and Budget-prescribed interest rates within\nspreadsheets prepared for SBA\xe2\x80\x99s separate programs. We did note, however, that the number of errors and\nassociated dollar amounts were reduced from last year.\n\n        We found that most errors occurred when a model had to be revised, but was not completely\nreviewed as the result of time constraints. We also found that peer and supervisory reviews were\ngenerally effective, even though SBA did not have procedures in place to ensure that each review was\nthorough and performed consistently among programs.\n\n        We recommend that the Chief Financial Officer (CFO) direct the Director of the Office of\nFinancial Analysis to:\n\n                                                    1\n\x0c        \xe2\x80\xa2       Continue to document and standardize the subsidy modeling and re-estimation process\n                and quality reviews now in place.\n\n        \xe2\x80\xa2       Develop a checklist for use by both the preparer and the reviewer of the subsidy model\n                and re-estimates.\n\n        \xe2\x80\xa2       Update the policy and procedures manual annually.\n\n        \xe2\x80\xa2       Require a review of all models when any modifications are made.\n\n\n2.      Safeguarding Computer Equipment\n\n         As part of our audit, we attempted to conduct inventories of computer equipment at various\noffices we visited. Specifically, we attempted to obtain inventory listings of personal computers and\nverify existence through observation. We could not conduct these tests, however, because SBA does not\nhave a centralized computer inventory database, and program and field offices do not keep adequate, up-\nto-date inventories of computer equipment. Further, we found that surplus computers are not properly\nsanitized of data before disposal.\n\n        The General Accounting Office\xe2\x80\x99s (GAO) Standards for Internal Control in the Federal\nGovernment states that an agency must establish physical control to secure and safeguard vulnerable\nassets and such assets should be periodically counted and compared to control records.\n\n       SBA does not have written procedures or standardized practices for tracking and disposing of\ncomputer equipment. As a result, computer equipment is not properly controlled.\n\n        We recommend that the CFO:\n\n        \xe2\x80\xa2       Develop written procedures and policies for tracking and disposing of computer\n                equipment.\n\n        \xe2\x80\xa2       Establish a centralized inventory database.\n\n        \xe2\x80\xa2       Perform periodic inventories of computer equipment and compare results to the inventory\n                database.\n\n        \xe2\x80\xa2       Establish disposal procedures for computer equipment that include sanitizing data\n                remaining on hard drives of surplus equipment.\n\n\n3.      Duplicate Payments\n\n        SBA provides grants to Small Business Development Centers (SBDC). An SBDC requests\nreimbursement of expenses incurred by periodically submitting a Request for Funds form to SBA. Before\nreimbursing expenses, SBA\xe2\x80\x99s Denver Finance Center (DFC) verifies that obligations exist within the\nFederal Financial System (FFS) to cover the amount of the invoice.\n\n        In conducting testing over payments to SBDCs, we randomly selected 50 payments and verified\nthe appropriateness of these payments. In our sample, we found a duplicate payment for $289,499. As a\n                                                    2\n\x0cresult, we expanded our testing to determine whether     other duplicate payments existed. To\naccomplish this, we sorted all payments by dollar amount and extracted those in which the same amount\nwas listed more than once. We identified one other duplicate payment for $36,216.\n\n        Duplicate payments totaling $325,715 occurred when SBA paid on the basis of a faxed copy of\nthe Request for Funds form and paid again when the original document was received. Further, the system\nallowed the processing of duplicate payments, because obligations outstanding for the SBDCs exceeded\nthe duplicate payment amounts.\n\n        In response to our finding, DFC immediately contacted the SBDCs and requested refunds for the\nduplicate payments.\n\n       We recommend that the CFO direct the DFC Director to:\n\n       \xe2\x80\xa2       Establish controls within FFS requiring entry of a control number from the Request for\n               Funds form and rejection of requests with duplicate numbers.\n\n       \xe2\x80\xa2       Pay SBDC requests only from original documents.\n\n       \xe2\x80\xa2       Verify that no duplicate payments have occurred in the past 3 years.\n\n\n\n\n                                                   3\n\x0c                        U.S. SMALL BUSINESS ADMINISTRATION\n                                    WASHINGTON, D.C. 20416\n\n\n\nDATE:          MARCH 3, 2000\n\nTO:            Robert G. Seabrooks\n               Assistant Inspector General\n               for Auditing\n\n\n\nFROM:          Joseph P. Loddo\n               Chief Financial Officer\n\nSUBJECT:       Audit of SBA\xe2\x80\x99s FY 1999 Financial Statements \xe2\x80\x93 Management Letter\n\nWe have reviewed the draft management letter by Cotton & Company for SBA\xe2\x80\x99s FY 1999\nfinancial audit. The SBA is committed to prompt and effective attention to all items in its\nfinancial audit. Cotton has identified three non-reportable items including 1) subsidy modeling,\n2) personal computer inventories and 3) SBDC duplicate payments. We are pleased to note that\nthe first item on subsidy rates was downgraded this year from a reported material internal control\nweakness, and we are working now to eliminate this item. The other two items are new this year\nand we have already begun work to eliminate them for FY 2000. We are also pleased to note\nthat the two items in your FY 1998 management letter on SBDC agreements and capitalized\nproperty have been addressed by SBA and are not repeated in this years letter. Further\ncomments on the three items in your FY 1999 management letter follow.\n\n1. Subsidy Modeling and Re-estimation Process\n\nWe appreciate Cotton\xe2\x80\x99s recognition of the SBA\xe2\x80\x99s improvements to this process and are proud to\nnote that for FY 1999, credit subsidy processing was completed on time without material errors.\nWe are committed to further improvements to our standard procedures for the subsidy process\nand also improved quality assurance activities in order to eliminate this weakness. We will\nfurther update our policy and procedures manual governing the subsidy process. It is updated\neach Spring by the subsidy analysts, and this year the Disaster model will receive special\nattention. We will improve upon the quality assurance checklist and reviews already in place.\nOur response to your final audit report for the management letter will provide details on these\nimprovements.\n\n2. Safeguarding Computer Equipment\n\nThe SBA currently has an inventory control system in place that safeguards our computer\nequipment against material loss. The Fixed Asset Accounting System (FAAS) provides a system\nand a standardized process to update inventories of computer and other equipment. In addition,\nour Office of the Chief Information Officer conducts inventories of computer equipment several\n\x0ctimes a year. SBA office information technology personnel also maintain inventories of their\ncomputer equipment. These measures are sufficient considering the risk of loss to provide\nadequate safeguards against material losses.\n\nThe SBA will implement improvements to our current inventory of computer equipment to\naddress the issued raised by Cotton. A vendor maintained asset tracking system possiblty using\nbarcodes will be maintained for all computer equipment purchased beginning in FY 2000 that\nshows the location of all equipment by ship-to point. Also, automated tools will be used to\nidentify and track all hardware and software assets attached to the Agency\xe2\x80\x99s network in the near\nfuture. Finally, procedures for the disposal of computer equipment that sanitize data on hard\ndrives for obsolete equipment will be developed. The response to your final audit report on the\nmanagement letter will provide further details on improvements to this item.\n\n3. Duplicate Payments\n\nOur financial office in Denver has already begun improvements to avoid duplicate disbursements\non SBDC grants. A reconciliation of payments over the last three years has been completed to\nverify that no additional duplicate payments occurred. A new form will be used to better control\nrequests for SBDC disbursements and a standardized procedure will be used to pay from fax\ncopies, with a review of original copy requests received. Our response to your final audit report\nfor the management letter will provide details on these improvements.\n\n\nThe SBA is committed to being a 21st century leading-edge institution. Part of this commitment\nis the prompt, effective attention to all financial audit items. Therefore, we look forward to\nworking with you and our external auditor, Cotton & Company, during FY 2000 to resolve these\nthree management letter items. Any questions may be addressed to John Kushman or Louise\nWilson of my staff.\n\x0c                                           REPORT DISTRIBUTION\n\nRecipient                                                                                      No. of Copies\n\nDeputy Administrator....................................................................................1\n\nAssociate Deputy Administrator for Management and Administration..........1\n\nAssociate Administrator for Small Business Development Centers .............1\n\nAssociate Administrator for Field Operations ...............................................1\n\nChief Information Officer ..............................................................................1\n\nGeneral Counsel ..........................................................................................2\n\nU.S. General Accounting Office ...................................................................1\n\nOffice of the Chief Financial Officer\nAttention: Jeff Brown ...................................................................................1\n\x0c'